author | Changqing Li <changqing.li@windriver.com> | 2021-03-14 18:03:25 -0700 |
---|---|---|
committer | Martin Jansa <Martin.Jansa@gmail.com> | 2022-04-06 09:56:47 +0200 |
commit | e9397287779ba12a83d47ee241fdb87148fb769b (patch) | |
tree | d9cecca5e221ddf5202bb0b0aa626edd2c7249cf | |
parent | 75bcd9350452c3ceb826aeb9dbf016626d846f29 (diff) | |
download | openembedded-core-contrib-e9397287779ba12a83d47ee241fdb87148fb769b.tar.gz |
report-error.bbclass: replace angle brackets with &lt; and &gt;
When we have the below content in local.conf or auto.conf:
BUILDHISTORY_COMMIT_AUTHOR ?= "Khem Raj <raj.khem@gmail.com>"
send-error-report will fail with "HTTP Error 500: OK".
error-report-web does a rudimentary check on all fields that are
passed to the graphs page to avoid any XSS happening; if a field contains
'<', the server will return an error (Invalid characters in json).
Fixed by using the escapes of <> to replace them.
NOTE: with this change, error-report-web needs to add the filter 'safe'
for the string to be displayed, to avoid further HTML escaping
prior to output. Below is how the content is displayed on the webpage:
with the filter 'safe':
BUILDHISTORY_COMMIT_AUTHOR ?= "Khem Raj <raj.khem@gmail.com>"
without the filter 'safe':
BUILDHISTORY_COMMIT_AUTHOR ?= "Khem Raj &lt;raj.khem@gmail.com&gt;"
Another patch for error-report-web will be sent to the yocto mailing list.
[YOCTO #13252]
Signed-off-by: Changqing Li <changqing.li@windriver.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
-rw-r--r-- | meta/classes/report-error.bbclass | 1 |
1 files changed, 1 insertions, 0 deletions
diff --git a/meta/classes/report-error.bbclass b/meta/classes/report-error.bbclass index 0ddbab9071..d07aa77c54 100644 --- a/meta/classes/report-error.bbclass +++ b/meta/classes/report-error.bbclass @@ -44,6 +44,7 @@ def get_conf_data(e, filename): continue else: jsonstring=jsonstring + line + jsonstring = jsonstring.replace("<", "<").replace(">", ">") return jsonstring def errorreport_get_user_info(e): |
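Review bot: the added replace() pair in get_conf_data covers only the two angle brackets (with, per the commit subject, their HTML entities) and leaves '&' untouched, which matters because the commit message has error-report-web render this field with the 'safe' filter. With server-side escaping switched off, a conf line that already contains literal entity text can no longer be told apart from a bracket this line escaped, and any other markup-significant character reaches the page exactly as the client sent it. Escaping '&' before the brackets, or calling the standard library's html.escape(jsonstring, quote=False), which handles '&', '<' and '>' in the right order, would make the encoding unambiguous. A short comment above the line saying that error-report-web rejects a raw '<' and expects pre-escaped text would also help, since nothing in get_conf_data explains why HTML escaping is applied to a string named jsonstring. Because the substitution runs once on the whole accumulated string just before the return, it is worth confirming on the server side that the 'safe' filter is applied only to this field and that the existing invalid-character check stays in place, so output safety does not depend on every client running this version of the class.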